Evaluation Report

OIG-13-055
GENERAL MANAGEMENT: Treasury Has Policies and Procedures
to Safeguard Classified Information But Implementation Needs to
Be Improved
September 27, 2013

Office of
Inspector General
DEPARTMENT OF THE TREASURY

Contents

Evaluation Report

Background

Findings

    Classified Emails Were Often Improperly Marked

    Treasury’s SF311 Reporting to the Information Security Oversight Office
       Was Incomplete and Inaccurate

    Treasury’s Self-Inspection Program Needs Improvement

Recommendations

Appendices

Appendix 1: Objectives, Scope, and Methodology
Appendix 2: Management Response
Appendix 3: Major Contributors to This Report
Appendix 4: Report Distribution

Abbreviations

    ISOO    Information Security Oversight Office
    OFAC    Office of Foreign Assets Control
    OIA     Office of Intelligence and Analysis
    OIG     Office of Inspector General
    OSP     Office of Security Programs
    SF      Standard Form

OIG
The Department of the Treasury
Office of Inspector General

Evaluation Report

September 27, 2013

S. Leslie Ireland
Assistant Secretary for Intelligence and Analysis

This report provides the results of our first evaluation, pursuant to
Public Law 111-258, Reducing Over-Classification Act, of the
Department of the Treasury’s (Treasury) classification program.
The act requires the Inspectors General of each department or
agency of the United States with an officer or employee who is
authorized to make original classification[1] decisions to evaluate the
agency’s classification program and identify practices that may
contribute to the persistent misclassification[2] of material.
Our first evaluation under this requirement is to be completed by
September 30, 2013. A second evaluation is to be completed by
September 30, 2016.

In accordance with the act, the evaluation objectives were to
(1) assess whether applicable classification policies, procedures,
rules, and regulations have been adopted, followed, and effectively
administered within Treasury; and (2) identify policies, procedures,
rules, regulations, or management practices that may be
contributing to persistent misclassification of material. In
performing our work, we used applicable portions of an evaluation
guide that was prepared by a working group of participating
Offices of Inspector General (OIG) on behalf of the Council of the
Inspectors General on Integrity and Efficiency.[3] We performed our
fieldwork from March 2013 to August 2013. Appendix 1 contains
a more detailed description of our evaluation objectives, scope, and
methodology.

[1] Original classification is the determination by an authorized official that information within specifically
designated categories requires protection against unauthorized disclosure in the interest of national
security. Individuals authorized to make this original determination have original classification authority
and are authorized in writing, either by the President, the Vice President, agency heads, or other
officials designated by the President. Treasury has 13 officials with original classification authority.
[2] Auditor Note: In the context of this report, misclassification is the act of incorrectly classifying, either
over- or under-classifying, information.
[3] Department of Defense OIG, A Standard User’s Guide for Inspectors General Conducting Evaluations
Under Public Law 111-258, the Reducing Over-Classification Act (Jan. 22, 2013).

In brief, we concluded that Treasury has policies and procedures in
place to safeguard classified materials,[4] but the implementation of
these policies and procedures needs improvement. Heightened
attention should be given to (1) marking classified emails;[5]
(2) completing the annual Standard Form (SF) 311, Agency
Security Classification Management Program Data;[6] and
(3) complying with self-inspection requirements.[7] We are making
three recommendations to improve the classification management
process.

In a written response, the Assistant Secretary for Intelligence and
Analysis provided corrective actions taken and planned to
implement the above recommendations. The management response
is summarized in the Recommendations section of the report and
the text of the response is included as appendix 2.
We believe the
corrective actions, taken and planned, are responsive to our
recommendations.

[4] The Treasury Security Manual, General Information, Treasury-wide Security Programs, describes the
process of safeguarding classified materials as identifying, marking, handling, processing, storing,
transmitting, accounting, tracking, and destroying.
[5] Marking is the act of properly labeling sections of classified documents, whether paper copies or
electronic, to indicate (1) the overall level of classification, (2) the paragraph/portion classification,
(3) the name or personal identifier of the classifier, (4) the reason or source of the classification, and
(5) the date or event for declassification.
[6] The SF311 is used to collect data from Executive branch agencies that create and/or handle classified
national security information. Information to be reported includes the number of (1) individuals
designated with original classification authority, (2) original and derivative classification decisions,
(3) mandatory declassification review requests and appeals, (4) pages of decisions declassified,
(5) internal oversight activities including self-inspections conducted, and (6) classification guides created
and used. Classification decisions refer to any recorded information, including documents and e-mails.
[7] Self-inspections are internal reviews and evaluations conducted by agency management for activities
related to classified information. For the Treasury classification management program, the Office of
Security Programs conducts self-inspections of Treasury’s Departmental Offices. Bureau personnel are
responsible for conducting self-inspections of the bureaus’ classification management programs.

Background

In December 2009, the President signed Executive Order 13526,
Classified National Security Information, which updated
classification principles, policies, and procedures and prescribed a
uniform system for classifying, safeguarding, and declassifying[8]
national security information. The executive order requires heads of
agencies that have employees with original classification authority
or who handle classified information to designate a senior agency
official who is responsible for the classification management
process. Within Treasury, the designated senior agency official is
the Deputy Assistant Secretary for Security.[9] The Deputy Assistant
Secretary has oversight of the Office of Security Programs (OSP),
which is located within Treasury’s Office of Intelligence and
Analysis (OIA).[10]

OSP is responsible for establishing Treasury policies and
procedures for classification management based on Executive
Order 13526 and other federal sources. The June 2011 update to
the Treasury Security Manual[11] defines and implements the
Department’s classification management policies.
OSP is also
responsible for (1) developing security training programs,
(2) monitoring compliance by Treasury’s Departmental Offices and
bureaus with federal and Treasury requirements for classified
information, (3) reporting on Treasury's information security
programs to the Information Security Oversight Office (ISOO),[12]
and (4) representing Treasury interests on interagency forums.

Public Law 111-258, Reducing Over-Classification Act, which
became law on October 7, 2010, was intended to address issues
highlighted by the 9/11 Commission Report. This report concluded
that over-classification and inadequate information sharing
contributed to the government’s failure to prevent the attacks of
9/11. The report also stated that security requirements nurtured
over-classification and excessive compartmentalization of
information among agencies.

[8] Declassification is the authorized change in the status of information from classified to unclassified
based on the duration of the national security sensitivity of the information.
[9] Treasury Order 105-19, Delegation of Original Classification Authority; Requirements for Downgrading
and Declassification (June 27, 2011)
[10] OIA was established within Treasury by Public Law 108-177, Intelligence Authorization Act for Fiscal
Year 2004 (Dec. 13, 2003).
The office, which is headed by the Assistant Secretary for Intelligence and
Analysis, is responsible for the receipt, analysis, collation, and dissemination of foreign intelligence and
foreign counterintelligence information related to the operation and responsibilities of Treasury.
[11] Treasury Directive Publication 15-71 (June 17, 2011)
[12] ISOO is an office within the National Archives and Records Administration responsible for policy and
oversight of the Government-wide security classification system.

Findings

Finding 1    Classified Emails Were Often Improperly Marked

According to the Treasury Security Manual, classifiers must ensure
that the application of required markings on electronic documents
include (1) subject line and paragraph/portion markings, (2) the
overall classification on the top and bottom of each page, and
(3) the completion of the classification authority block.[13]

In the first half of fiscal year 2013, OSP personnel conducted two
self-inspections that included 330 derivatively classified emails and
attachments generated by 38 OIA employees. As shown in
Table 1, OSP found that 4 percent of reviewed classified emails
had all of the required markings and were considered properly
marked.
However, OSP noted that 31 percent of the emails did not
contain portion markings[14] and 63 percent of the emails were
categorized as “did not appear to be classified.” OSP personnel told
us that this category included classified email strings with
unclassified information that did not have portion markings to
indicate that unclassified information was discussed. The OSP
reviews also disclosed that 2 percent of the documents had
markings that were not easily categorized into the other 3
descriptions.

Table 1. Results of OSP’s Self-Inspections of Derivatively Classified Emails and Attachments

              Number of Documents (Percent)
Date of Self-                         Lacked Required   Included Information   Included
Inspection               Properly     Portion           that Did Not Appear    Other
Report        Reviewed   Marked       Markings          to Be Classified       Errors
------------  --------   ----------   ---------------   --------------------   --------
11/01/2012    121        10 (8%)      40 (33%)          64 (53%)               7 (6%)
04/05/2013    209        4 (2%)       62 (30%)          143 (68%)              0 (0%)
Total         330        14 (4%)      102 (31%)         207 (63%)              7 (2%)

Source: OIG’s summary of OSP’s self-inspection reports

[13] The classification authority block consists of (1) a “Classified By” line to identify who prepared the
document, (2) the “Reason for” or
“Derived from” classification line, and (3) a “Declassify On” line that
indicates the length of the classification.
[14] The Treasury Security Manual, Chapter 3, Section 6, requires portion markings on a subject line,
paragraph, or portion of all classified documents, whether paper or electronic, to indicate whether they
are classified and the specific level of classification.

OSP personnel told us that the incomplete markings found during
the self-inspections may have resulted from employees (1) not
taking the time to properly mark the emails, (2) not believing that
the markings were important, or (3) unintentionally “replying to” or
“forwarding” an email without realizing that such actions were
classification decisions. To address these issues, OSP developed a
handout to remind employees that classification markings must
appear on all emails.

Treasury is responsible for ensuring that classified information is
properly safeguarded.
The lack of proper classification markings
makes it difficult for the recipient of an email to determine the
proper classification level for the information in that email.

Finding 2    Treasury’s SF311 Reporting to the Information Security
             Oversight Office Was Incomplete and Inaccurate

ISOO uses data collected on the SF311 from Executive branch
agencies that handle and generate classified national security
information to report statistics in its annual report to the President.
For fiscal years 2011 and 2012, OSP did not provide ISOO with a
complete and accurate count of Treasury’s overall derivative and
original classification decisions on the SF311.

For fiscal year 2011, OSP reported 12,733 derivative classification
decisions to ISOO. However, when we performed a mathematical
check of the internally submitted data by Treasury’s Departmental
Offices and bureaus to OSP,[15] we found that the total was much
smaller, only 6,123 decisions. For fiscal year 2012, Treasury
reported 20,179 derivative classification decisions to ISOO, but we
recalculated the internally submitted reports to OSP and found that
the total was 20,076 decisions.
In addition to these differences,
we found that the Treasury totals reported to ISOO for these fiscal
years also did not include derivative classification decision counts
for the Office of Foreign Assets Control (OFAC), a Treasury office
that regularly handles classified information.

[15] Treasury’s Departmental Offices and bureaus are required to provide their SF311 to OSP by
November 1st of each year for inclusion in Treasury’s consolidated SF311 report to ISOO. The
consolidated SF311 report is to be submitted to ISOO by November 15th.

When we asked about the differences between the number of
reported derivative classification decisions to ISOO and those
internally submitted by Treasury’s Departmental Offices and
bureaus, OSP personnel could not provide an explanation as to why
there were discrepancies. With respect to the omission of OFAC’s
derivative classification decisions, OSP personnel told us that
multiple requests were made to OFAC, but the data was not
submitted. During an interview, an OFAC employee told us that he
thought OFAC had filed a report for fiscal year 2011 because he
recalled completing the document count. However, when we asked
for a copy of the submission to OSP, neither OFAC nor OSP had a
copy. For fiscal year 2012, OFAC personnel told us that the OSP
request was overlooked.
OFAC subsequently reported to OSP, in
May 2013, after we made the inquiry, that it made 7,358
derivative classification decisions during fiscal year 2012.

In addition to reporting incomplete derivative classification decision
counts in the fiscal year 2012 SF311 to ISOO, Treasury reported
four original classification decisions. But when we reviewed these
reports and supporting documentation with Treasury’s
Departmental Offices and bureaus that reported the information,
we found that there were no original classification decisions for the
fiscal year. In fact, the two original classification decisions were
actually made in fiscal year 2013, not fiscal year 2012; and the
other two original classification decisions were misreported. Neither
were original classification decisions; they were both derivative
classification decisions and should have been reported as such. An
OSP representative told us that he questioned three of the four
decisions that were reported, but was assured by the reporting
bureau that the information was correct. OSP accepted the other
reported original decision as reasonably reported by the bureau.

Finding 3    Treasury’s Self-Inspection Program Needs Improvement

Prescribed by the Treasury Security Manual, the annual
self-inspection process is a key control within Treasury to ensure
the protection of classified information.
The manual delegates the
methodology for conducting these self-inspections to officials
within Departmental Offices and bureaus.[16] These officials are
required to:

    • Document their findings and recommendations for
      improvement or enhancement.
    • Indicate that all reviewed records, documents, briefings, and
      activities complied with Executive Order 13526 and
      applicable implementing directives.
    • Identify noted discrepancies and indicate whether corrective
      action will be or have been taken.
    • Conduct and document follow-up actions taken where
      individual self-inspections have identified such a particular
      need.
    • Provide copies of corrective actions to address noted
      discrepancies to the Director, OSP, as necessary.
    • Conduct at least one self-inspection annually that includes
      document reviews if the office generates classified
      information.

Overall, OSP is responsible for managing Treasury’s classified
program and is required by the Treasury Security Manual to
monitor Treasury’s compliance with federal and Treasury mandates
for classified information.

For fiscal years 2011
and 2012, we found that one Treasury
bureau that generated classified information properly completed the
required self-inspections while four others either did not complete
the self-inspections or completed the inspections but did not retain
documentation. OSP performed and documented self-inspections
for those offices within Treasury’s Departmental Offices that
generated classified information, but the scope of those inspections
only included emails and attachments. OSP did not review
classified documents generated outside of the electronic
environment and this report is based on a review of OSP’s findings.

[16] The Treasury Security Manual provides examples of procedures that could be taken to conduct a
self-inspection. Examples include, but not limited to, (1) reviewing relevant security directives,
guidelines, and instructions for currency and applicability; (2) reviewing access and control records and
procedures; (3) sampling actual and electronically processed original and derivative classified
documents; and (4) evaluating employee training, and if needed, modifying the training.

OSP personnel told us they assume that bureaus are properly
performing self-inspections because the bureaus should know their
responsibilities. OSP personnel also told us that they get involved
only when they become aware that a bureau is not following
procedures.
We believe a more proactive approach by OSP is
necessary to ensure that OSP and bureaus are performing and
documenting self-inspections in accordance with the Treasury
Security Manual.

Recommendations

We recommend that the Assistant Secretary for Intelligence and
Analysis direct the Deputy Assistant Secretary for Security to:

1. Remind employees who work with classified information about
   the requirement in the Treasury Security Manual to properly
   mark classified emails and provide initial training on marking
   requirements when an employee is first given access to
   Treasury classified email systems and periodic refresher training
   thereafter.

   Management Comments

   Training on properly marking classified information is routinely
   provided to employees both initially when receiving their
   security clearance and annually through refresher training about
   required markings. OSP strives to develop comprehensive and
   tailored training and will work more closely with Treasury’s
   Departmental Offices when developing training modules and
   ensure that training is accessible in some form to all bureau
   personnel. The referenced training serves to remind employees
   authorized access to classified information of their obligations to
   properly mark and safeguard that information.
   OSP will review
   Treasury Directive Publication 15-71 with respect to marking
   electronic media to determine whether it should allow for the
   same flexibility authorized by ISOO in their implementing
   regulation.[17]

[17] Auditor Note: 32 CFR Part 2001, Classified National Security Information, states that classified
national security information in the electronic environment shall be marked with proper classification
markings to the extent that such marking is practical including portion marking, overall classification,
and the classification authority block.

   OIG Comment

   Management’s action, taken and planned, meets the intent of
   our recommendation. Management will need to record an
   estimated date for completing its planned actions in the Joint
   Audit Management Enterprise System (JAMES), Treasury’s
   audit recommendation tracking system.

2. Implement controls to ensure that an accurate and complete
   Treasury consolidated SF311 is submitted to ISOO. OSP should
   review Treasury’s Departmental Offices’ and bureaus’ internally
   reported information on classification decisions and other
   classification information for reasonableness. OSP should also
   ensure that those offices expected to have classification
   information submit the required information for the consolidated
   SF311.

   Management Comments

   OSP requests clarification when Departmental Offices and
   bureaus submit questionable SF311 information. One office, for
   their fiscal year 2013 reporting, agreed to use a 2-week
   sampling to extrapolate their classification volume.
   Assuming
   meaningful results come from the 2-week sampling, OSP will
   suggest it for the largest Treasury components that generate
   classified information starting with the fiscal year 2014 report,
   as well as provide appropriate training to their employees on the
   sampling requirement and methodology.

   OIG Comment

   Management’s action, taken and planned, meets the intent of
   our recommendation. Management will need to record an
   estimated date for completing its planned actions in JAMES.

3. Implement controls to ensure that Treasury bureaus with
   employees who handle and generate classified information
   conduct annual self-inspections in accordance with the Treasury
   Security Manual, document the results, and submit reports to
   the Director of OSP. In this regard, the scope of inspections
   performed by OSP should include reviews of both emails and
   documents created outside the electronic environment.

   Management Comments

   OSP performs self-inspections in Departmental Offices each
   quarter. These include both physical and information security
   aspects. In fiscal year 2014, OSP will start cross-training within
   OSP to have an additional person fully trained in the information
   security discipline. OSP will require copies of self-inspection
   reports when they are reported by bureaus, and include this
   requirement in Treasury Directive Publication 15-71. In addition,
   OSP is taking steps to increase its personnel resources in the
   information security discipline to ensure oversight of bureau
   self-inspection and reporting requirements.
    OSP will also consider revising the directive to clarify the
    responsibilities of those components with few or no classified
    holdings, where internal access procedures equate to performing
    daily self-inspections and to have them self-inspect on other
    aspects of their individual information security program.

    OIG Comment

    Management’s action, taken and planned, meets the intent of
    our recommendation. Treasury will need to record an estimated
    date for completing its planned actions in JAMES.

                                    ******

We appreciate the courtesies and cooperation extended by your
staff as we inquired about these matters. Major contributors to this
report are listed in appendix 3. A distribution list for this report is
provided as appendix 4. If you wish to discuss this report, you may
contact me at (202) 927-5400 or Kieu Rubb, Audit Director, at
(202) 927-5904.

/s/
Marla A. Freedman
Assistant Inspector General for Audit

Appendix 1
Objectives, Scope, and Methodology

Public Law 111-258, Reducing Over-Classification Act, Section
6(b), requires the Inspector General of each department or agency
with an officer or employee who is authorized to make original
classifications to (1) assess whether applicable classification
policies, procedures, rules, regulations have been adopted,
followed, and effectively administered; and (2) identify policies,
procedures, rules, regulations, or management practices that may
be contributing to persistent misclassification of material.
The act called for two evaluations, this first to be completed by
September 30, 2013, and the second evaluation to be completed
by September 30, 2016.

The focus of this evaluation was the Department of the Treasury’s
(Treasury) policies and procedures related to classification training,
self-inspections, and the completion of the Standard Form
(SF) 311, Agency Security Classification Management Program
Data.

We conducted fieldwork in Washington, DC, at the Office of
Terrorism and Financial Intelligence,18 the Office of General
Counsel, the Office of International Affairs, the Office of
Management, the Office of Inspector General, the Bureau of
Engraving and Printing, the U.S. Mint, and the Bureau of the Fiscal
Service.19 We also conducted fieldwork in Vienna, Virginia at the
Financial Crimes Enforcement Network. Our evaluation did not
include the Internal Revenue Service.20 Our evaluation scope
covered the period from October 2010 to May 2013.
We conducted our fieldwork from March 2013 through August 2013.

18 Treasury’s Departmental Offices and bureaus reporting to the Office of Terrorism and Financial
Intelligence include the Financial Crimes Enforcement Network, the Office of Terrorist Financing and
Financial Crimes, the Office of Intelligence and Analysis, and the Office of Foreign Assets Control.
19 Our evaluation focused on the legacy Bureau of the Public Debt which in October 2012 was
consolidated with the legacy Financial Management Service and redesignated as the Bureau of the
Fiscal Service.
20 The Internal Revenue Service, under the jurisdictional oversight of the Treasury Inspector General for
Tax Administration, does not have an individual designated with an original classification authority.
Furthermore, our review of the Treasury SF311 process disclosed that the Internal Revenue Service
reported zero derivative classification decisions for fiscal years 2011 and 2012.

To accomplish our objectives we

•   reviewed federal and Treasury rules, regulations, policies, and
    procedures, including:
    o Executive Order 13526, Classified National Security
      Information (Dec. 29, 2009)
    o 32 CFR Part 2001, Classified National Security
      Information (June 28, 2010)
    o Public Law 111-258, Reducing Over-Classification Act
      (Oct.
      7, 2010)
    o Treasury Security Manual, Treasury Directive
      Publication 15-71 (June 17, 2011)
    o Treasury Order 105-19, Delegation of Original
      Classification Authority; Requirements for
      Downgrading and Declassification (June 27, 2011).
•   interviewed the Deputy Assistant Secretary of Security and
    Office of Security Programs (OSP) employees who are
    responsible for directing and guiding the protection of
    personnel, information, facilities, and assets; and promoting
    security awareness within Treasury.
•   interviewed personnel at the various bureaus who are
    responsible for security and training.
•   reviewed training materials posted on Treasury’s internal
    websites and paper copies of training documents and obtained
    the 2011 and 2012 training records of Treasury officials with
    original classification authority.
•   reviewed OSP’s quarterly self-inspection reports on Treasury’s
    Departmental Offices from January 2011 through March 2013
    and the Financial Crimes Enforcement Network’s self-inspection
    reports from fiscal years 2011 and 2012.
•   reviewed Treasury’s SF311 for fiscal years 2011 and 2012
    prepared by OSP, and related data on original classification
    decisions and derivative classification decisions provided to OSP
    by Treasury’s Departmental Offices and bureaus. We
    interviewed Treasury personnel with responsibilities for
    completing the SF311.

As directed by the act, we coordinated our evaluation with other
Offices of Inspector General with the intent of ensuring that our
evaluations followed a consistent methodology to allow for
cross-agency comparisons.
In performing our work, we used applicable
portions of an evaluation guide that was prepared by the working
group of participating Offices of Inspector General on behalf of the
Council of the Inspectors General on Integrity and Efficiency.

We conducted this evaluation in accordance with Quality Standards
for Inspections and Evaluations issued by the Council of the
Inspectors General on Integrity and Efficiency.

Appendix 2
Management Response

Appendix 3
Major Contributors to This Report

Kieu T. Rubb, Audit Director
Gregory J. Sullivan Jr., Audit Manager
Regina A. Morrison, Auditor-in-Charge
Brigit A. Hoover, Auditor
Alex M.
Taubinger, Referencer

Appendix 4
Report Distribution

Department of the Treasury

    Secretary of the Treasury
    Deputy Secretary
    Under Secretary for Terrorism and
       Financial Intelligence
    Deputy Assistant Secretary for Security
    Director, Office of Security Programs

Information Security Oversight Office

    Director

Office of Management and Budget

    OIG Budget Examiner

United States Senate

    Chairman and Ranking Member
    Committee on Homeland Security and Government Affairs

    Chairman and Vice Chairman
    Select Committee on Intelligence

    Chairman and Ranking Member
    Committee on Finance

    Chairwoman and Vice Chairman
    Committee on Appropriations

    Chairman and Ranking Member
    Subcommittee on Financial Services and General Government
    Committee on Appropriations

U.S. House of Representatives

    Chairman and Ranking Member
    Committee on Homeland Security

    Chairman and Ranking Member
    Permanent Select Committee on Intelligence

    Chairman and Ranking Member
    Committee on Oversight and Government Reform

    Chairman and Ranking Member
    Committee on Financial Services

    Chairman and Ranking Member
    Committee on Appropriations

    Chairman and Ranking Member
    Subcommittee on Financial Services and General Government
    Committee on Appropriations
"